ZyXEL → Zyxel USG 20 and Sonic.net ipv6?

Has anyone been successful in configuring a USG 20 and Sonic.net ipv6? The examples given by Zyxel in its user guide and application notes doesn't seem to jive with what Sonic.net provides for information.

For example, Sonic.net provides a:

"sonic-side v4 address" (which is assume is the ipv4 address of the Sonic's tunnel)
"customer-side" (which is my static WAN ipv4 address)
"Transport" (which is a 2001.../127 address - ?)
"Network" (which is a 2001.../60 address - my LAN?)

There are a number of examples, including for an Airport Extreme, but nothing for Zyxel (no surprise).

Anyone have any suggestions of where I can read up and figure this out?

Look for a support note from ZyXEL that shows how to set it up IPv6.

But you are right, Network is your LAN and Transport is your WAN.

Since the setup for native IPv6 and the varies IPv6 tunnel types (6in4, 6to4, teredo) are all different make sure you look for instructions on how to configure a 6in4 tunnel (this is what Sonic.net provides).

Can I assume IPv6-in-IPv4 is 6in4?

The term "IPv6-in-IPv4" appears in RFC 4213 which defines "Basic Transition Mechanisms for IPv6 Hosts and Routers" including 6in4 tunnels (interestingly, the term "6in4" is not used in the RFC).

I'm fairly certain that the two terms have the same meaning.

Okay, well, this isn't working. I'm using the IPv6-in-IPv4 example here on page 50.

»www.zyxel.com/web/downlo ··· _quarter

(the application notes has only a 6to4 configuration example)

The tunnel example seems straightforward - put the sonic-side v4 address in the Remote Gateway entry.

The Ethernet example is a bit more complicated. I assume I put the "Network" (LAN) address in the Router Advertised Prefix Table? And then I put the customer-side transport IPv6 address in the IPv6 Address/Prefix Length field? I also noticed that the SLAAC checkbox isn't ticked off like it is in the 6to4.

Any suggestions? My computers aren't getting an IPv6 address. I'm tempted to try using my Airport Extreme and seeing how that would work.

Help!

Why beat your head against the wall....... oh wait, probably a cisco guru ;-P, Call 800-255-4101 ext 5 and ask tech support.
I am curious as to their level of readiness for such inquiries.

This has been kind of maddening for someone like me with only a basic grasp of IPv4, let alone IPv6.

Even though my ISPs don't yet support IPv6, I was playing around with the IPv6 configuration from the examples in the documentation for my USG50 and somehow managed to mess things up enough so that my Linux virtual machines could no longer grab IPv4 LAN addresses from the USG50 DHCP server. I think I'll hold off on IPv6 for a bit until someone hopefully posts an idiots guide to IPv6 on Comcast...

I'm there too. After one more bout of my USG 20 having to restore firmware from the last good version on a reboot, I'm done with trying to configure this thing for IPv6. Things were so much simpler with my old Z2, and now things are exponentially more complicated to configure (and more powerful, of course) with my USG 20.

I was playing around with the IPv6 capabilities of my Airport Extreme that I'm using as an AP, and while it was able to configure a tunnel apparently, access to IPv6 sites was timing out. I'm sure it has to do with the fact that I'm using my USG 20 as my router, but I was hopeful that it might be possible to have a separate box be able to be the IPv6 router, but I guess not.

I tried looking at the documentation that you linked to above, but I got prompted for a password when I tried to read it ?

I think that putting the customer-side transport IPv6 address anywhere in the local ethernet side configuration would be a mistake but lacking documentation for the USG I'm not sure.

As long as the USG doesn't block IPv4 protocol number 41 you should be able to setup another router as IPv6 router on your local network (behind the USG 20).

Here's another link. It actually redirects to an anonymous FTP site.

»ftp://ftp2.zyxel.com/ZyWALL_US ··· _Ed1.pdf

I'll try open up 41 and see if I can use the AE tonight...

It has been my experience that the most recent Acrobat Reader can open the file without a password while other pdf readers cannot. This is on Ubuntu.

kirby

Based on the manual that you linked to (since I don't have a USG):

Step 2.8.2 Setting Up the IPv6-in-IPv4 Tunnel
The example shows a WAN interface (wan1) that has a dynamic IPv4 address. If you have a static IPv4 address for your router you would enter it in Gateway Settings under IP Address (instead of Interface). This is especially important if you have a block of 4 or 8 static IP addresses!
If you only have a dynamic IP address follow the example and specify your address by selecting the Interface.
The USG 20 shows the tunnel IPv6 Address Assignment as optional, but since that information is provided by Sonic I would enter it.

Edit: bigboy confirms that the IPv6 Address Assignment for the tunnel is important. Enter the customer-side IPv6 address (4) in this field together with the /127 prefix length.

Ethernet and Policy setup to follow.

Quick question (great thread and input by the way), are people being forced to implement IPV6 already??

I have not heard of anybody that has IPv4 address(es) being forced to adopt IPv6. However AT&T is using one of the private IP address blocks (10/8) for its uverse CGN network (which is part of their IPv6 strategy). This means that customers that are using this block for their home network will have to switch to one of the other private IP address blocks.
Therefore some (probably few) customers have to make changes because of IPv6 even if they are not planning on using it.

Step 2.8.3 Setting Up the LAN IPv6 Interface
There are two parts to this. First you have to pick one of the IP addresses in your IPv6 network block and assign it to the router (IPv6 Address Assignment). This is the address that all your computers will use to sent traffic to the router. Typically that is the address XXXX:XXXX:XXXX:XXX0::1 where the Xs stand for the prefix of your assigned IPv6 address block.
The second part is configuring the IPv6 block and its prefix length (/60 for Sonic.net tunnels) in the IPv6 Router Advertisement section.

Properly configured your router will advertise its own IPv6 address (so that everybody knows how to find the router) and the IPv6 block (so that SLAAC, the stateless address auto configuration can work in the hosts).

Edit: based on the findings from bigboy :
- be sure to keep the SLAAC checkbox blank (as shown in the picture above from the USG documentation)
- instead of the /60 prefix provided by Sonic.net use the smaller /64 prefix typically used for IPv6 LANs. This is valid, it just means that you only use a portion of the assigned address block.
- stick with the default ::1 as the router address.

Still to come, policy routing.

In step 2.8.2 you created the 6in4 tunnel between your router and Sonic.net.
In step 2.8.3 you gave your LAN Ethernet interface an IPv6 address and configured your router to send out Router Advertisements (a key feature of IPv6 networking).
What is still missing is the connection between the LAN Interface and the 6in4 tunnel and this is were policy based routing comes in:


USG Policy

This is very similar to what I tried last. What is puzzling is that my Mac is not picking up an IPv6 address (it's configured to Automatic in the Network settings). When I was screwing around with my AE, my Mac automatically picked up a IPv6 address - it's not doing it with the Zyxel, or is the assumption that I have a static IPv6 address for each device with this 6in4 configuration?

Done any changes to your net since then? Router Advertisments and Solicitations are done with multicast.

Yes, if you do not migrate within a fortnight, you will be banned from the internet....

In order for your computers on the LAN to get an automatic assignment of a IPv6 address with global scope you only need the configuration in step 2.8.3 to configure the LAN Ethernet interface (both IPv6 Address Assignment and IPv6 Router Advertisement Setting are important as well as the Enable IPv6 checkbox). Even without policy based routing and without a working 6in4 tunnel this should give your USG an IPv6 address and cause it to respond to router discovery requests.
You do not need to assign static IPv6 addresses to your computers, but you could try a static IPv6 address (out of your assigned block) to see if you can ping the router with IPv6 ping.

One thing to make sure is that you do not have another IPv6 router (such as the AE) configured at the same time on your network. If the AE is still holding the ::1 IPv6 address for your network block, the USG will probably not work because of the address conflict.

You previously mentioned using the customer side IPv6 address in the Ethernet IPv6 Address Assignment. I'm assuming you fixed that ?

That would be a shame, who would keep you accountable then, it would be a disaster free for all.

That's what I thought re:Address Assignment and Router Advertisement. The USG 20 is not handing out addresses. I guess I can try the static address approach, but given it's my laptop, I don't want to be using static addresses because I use it in more than one location.

I don't think it's the rest of my network, as the Airport Extreme, when I have it doing IPv6 has no problem handing them out to devices on the network. I suppose I could just have the Airport do the tunnel, but it just seems strange that the Zyxel isn't doing its job.

I didn't mean static assignment as a solution, just for troubleshooting.

There could be something that we are missing since the IPv6-in-IPv4 example in the manual is showing how to use that protocol for site-to-site tunneling. Perhaps there is a small difference somewhere when using 6in4 to an ISP or Tunnelbroker for Internet access ?

You may have already done this, but just in case:That is in addition to the individual Enable IPv6 settings on the Ethernet, Policy Routing and other screens. IPv6 needs to be enabled on the LAN Ethernet interface and the Policy Routing screens but not on the WAN Ethernet interface (the traffic through the WAN interface is IPv4).

The examples I created show how to use the entire Sonic.net IPv6 block which is a /60 prefix. The typical prefix length for an IPv6 LAN is a smaller /64 which is also what the USG manual shows in the native IPv6 example. You could try changing the /60 prefix length to /64. While that leaves much of your IPv6 address block unusable, I'm pretty sure 4 billion * 4 billion IPv6 addresses for home use might just be enough It may be worth trying in case the USG wants exactly a /64 prefix.

You can also turn on the DHCPv6 server in the USG but stateless address auto configuration (SLAAC) should be working by itself.

Note that the SLAAC box isn't ticked in the Zyxel config example, though it doesn't seem to make a difference (I tried both).

Interesting comment on the /60 vs. /64. I will try that later today.

Given that IPv6 is new for Zyxel USG, I guess we shouldn't be surprised with teething problems...

The /60 vs. /64 was it. Once I changed it to /64, I was able to pick up an address.

Now back to fiddling with the tunnel. I'm not able to get out, but at least I can get an IPv6 address...

Huzzah! Success.

Ethernet configuration:
1. SLAAC needs to be turned off for 6in4
2. I was being cute with IPv6 Address/Prefix Length. Stick with :1
3. As noted earlier, this implementation doesn't support /60 - need to use /64 (this is a bug to me)

Tunnel
1. You are correct with the customer-side transport IP - needs to be in the IPv6 Address/Prefix Length, which is blank in the Zyxel example.

Policy Route example is correct. (EDIT) Make sure you use the /64 subnet for LAN1_SUBNET (/EDIT)

Thanks for all the help.

Congratulations on your success and thanks for following up with the details that made it work.

Hopefully this will be helpful for other USG owners that want to setup 6in4 tunnels to their ISP (like Sonic.net) or a tunnelbroker (like he.net).

Thanks!

Thanks leibold, this is good stuff. It would be interesting to see a similar post for a IPv6 native dual stack configuration to support something like what Comcast is rolling out.